Changes in postlfs/security/iptables.xml [da54a62:92d18a9]

File:

• postlfs/security/iptables.xml (modified) (24 diffs)

postlfs/security/iptables.xml

@@ -7 +7 @@
   <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
   <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
-  <!ENTITY iptables-md5sum        "602ba7e937c72fbb7b1c2b71c3b0004b">
-  <!ENTITY iptables-size          "704 KB">
-  <!ENTITY iptables-buildsize     "22 MB">
-  <!ENTITY iptables-time          "0.1 SBU">
+  <!ENTITY iptables-md5sum        "bc0f0adccc93c09dc5b7507ccba93148">
+  <!ENTITY iptables-size          "700 KB">
+  <!ENTITY iptables-buildsize     "17 MB">
+  <!ENTITY iptables-time          "0.2 SBU">
 ]>
 
@@ -17 +17 @@
 
   <sect1info>
+    <othername>$LastChangedBy$</othername>
     <date>$Date$</date>
   </sect1info>
@@ -31 +32 @@
     <para>
       <application>iptables</application> is a userspace command line program
-      used to configure the Linux 2.4 and later kernel packet filtering ruleset.
-    </para>
-
-    &lfs110a_checked;
+      used to configure Linux 2.4 and later kernel packet filtering ruleset.
+    </para>
+
+    &lfs10_checked;
 
     <bridgehead renderas="sect3">Package Information</bridgehead>
@@ -77 +78 @@
       <xref linkend="libpcap"/> (required for nfsypproxy support),
       <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
-      (required for Berkeley Packet Filter support),
+      (required for Berkely Packet Filter support),
       <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink>
       (required for connlabel support),
-      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink>
-      (required for connlabel support), and 
+      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>, and 
+      (required for connlabel support)
       <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink>
     </para>
@@ -148 +149 @@
 
 <screen><userinput>./configure --prefix=/usr      \
+            --sbindir=/sbin    \
             --disable-nftables \
-            --enable-libipq    &amp;&amp;
+            --enable-libipq    \
+            --with-xtlibdir=/lib/xtables &amp;&amp;
 make</userinput></screen>
 
@@ -165 +168 @@
     </para>
 
-<screen role="root"><userinput>make install</userinput></screen>
+<screen role="root"><userinput>make install &amp;&amp;
+ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;
+
+for file in ip4tc ip6tc ipq xtables
+do
+  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
+  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
+done</userinput></screen>
 
   </sect2>
@@ -174 +184 @@
     <para>
       <parameter>--disable-nftables</parameter>: This switch disables building
-      nftables compatibility. <!--Omit this switch if you have installed
+      nftables compat. <!--Omit this switch if you have installed
       <xref linkend="nftables"/>.-->
     </para>
@@ -185 +195 @@
 
     <para>
+      <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all
+      <application>iptables</application> modules are installed in the
+      <filename class="directory">/lib/xtables</filename> directory.
+    </para>
+
+    <para>
       <option>--enable-nfsynproxy</option>: This switch enables installation
       of <application>nfsynproxy</application> SYNPROXY configuration tool.
+    </para>
+
+    <para>
+      <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>:
+      Ensure the symbolic link for <command>iptables-xml</command> is relative.
     </para>
 
@@ -220 +241 @@
       <para>
         A Personal Firewall is designed to let you access all the
-        services offered on the Internet while keeping your computer secure and
+        services offered on the Internet, but keep your box secure and
         your data private.
       </para>
@@ -229 +250 @@
         url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
         Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
-        to the Linux 5.x kernels.
+        to the Linux 3.x kernels.
       </para>
 
@@ -301 +322 @@
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-# Log everything else.
+# Log everything else. What's Windows' latest exploitable vulnerability?
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
@@ -379 +400 @@
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-# Log everything else.
+# Log everything else. What's Windows' latest exploitable vulnerability?
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
@@ -413 +434 @@
 
       <para>
-        A Network Firewall has two interfaces, one connected to an
+        A network Firewall has two interfaces, one connected to an
         intranet, in this example <emphasis role="strong">LAN1</emphasis>,
         and one connected to the Internet, here <emphasis
         role="strong">WAN1</emphasis>. To provide the maximum security
         for the firewall itself, make sure that there are no unnecessary
-        servers running on it such as <application>X11</application>.
+        servers running on it such as <application>X11</application> et al.
         As a general principle, the firewall itself should not access
         any untrusted service (think of a remote server giving answers that
@@ -439 +460 @@
 echo "You can find additional information"
 echo "about firewalls in Chapter 4 of the BLFS book."
-echo "https://www.&lfs-domainname;/blfs"
+echo "http://www.&lfs-domainname;/blfs"
 echo
 
@@ -735 +756 @@
         </listitem>
         <listitem>
-          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptables example number 4">
+          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4">
             If you are frequently accessing FTP servers or enjoy chatting, you
             might notice delays because some implementations of these daemons
@@ -853 +874 @@
       <seglistitem>
         <seg>
-          ip6tables, 
-          ip6tables-apply,
-          ip6tables-legacy,
-          ip6tables-legacy-restore,
-          ip6tables-legacy-save,
-          ip6tables-restore, 
-          ip6tables-save, 
-          iptables, 
-          iptables-apply,
-          iptables-legacy,
-          iptables-legacy-restore,
-          iptables-legacy-apply,
-          iptables-restore,
-          iptables-save, 
-          iptables-xml, 
-          nfsynproxy (optional),
-          and xtables-multi
+          ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore,
+          iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi
         </seg>
         <seg>
-          libip4tc.so, 
-          libip6tc.so, 
-          libipq.so, 
-          libiptc.so,
-          and libxtables.so
+          libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so
         </seg>
         <seg>
-          /lib/xtables and 
-          /usr/include/libiptc
+          /lib/xtables and /usr/include/libiptc
         </seg>
       </seglistitem>
@@ -895 +896 @@
           <para>
             is used to set up, maintain, and inspect the tables of
-            IP packet filter rules in the Linux kernel
+            IP packet filter rules in the Linux kernel.
           </para>
           <indexterm zone="iptables iptables-prog">
@@ -903 +904 @@
       </varlistentry>
 
-      <varlistentry id="iptables-apply">
-        <term><command>iptables-apply</command></term>
-        <listitem>
-          <para>
-            is a safer way to update iptables remotely
-          </para>
-          <indexterm zone="iptables iptables-apply">
-            <primary sortas="b-iptables-apply">iptables-apply</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="iptables-legacy">
-        <term><command>iptables-legacy</command></term>
-        <listitem>
-          <para>
-            is used to interact with iptables using the legacy command set
-          </para>
-          <indexterm zone="iptables iptables-legacy">
-            <primary sortas="b-iptables-legacy">iptables-legacy</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="iptables-legacy-restore">
-        <term><command>iptables-legacy-restore</command></term>
-        <listitem>
-          <para>
-            is used to restore a set of legacy iptables rules
-          </para>
-          <indexterm zone="iptables iptables-legacy-restore">
-            <primary sortas="b-iptables-legacy-restore">iptables-legacy-restore</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry id="iptables-legacy-save">
-        <term><command>iptables-legacy-save</command></term>
-        <listitem>
-          <para>
-            is used to save a set of legacy iptables rules
-          </para>
-          <indexterm zone="iptables iptables-legacy-save">
-            <primary sortas="b-iptables-legacy-save">iptables-legacy-save</primary>
-          </indexterm>
-        </listitem>
-      </varlistentry>
-
       <varlistentry id="iptables-restore">
         <term><command>iptables-restore</command></term>
@@ -957 +910 @@
             is used to restore IP Tables from data specified on
             STDIN. Use I/O redirection provided by your
-            shell to read from a file
+            shell to read from a file.
           </para>
           <indexterm zone="iptables iptables-restore">
@@ -971 +924 @@
             is used to dump the contents of an IP Table in easily
             parseable format to STDOUT. Use I/O-redirection
-            provided by your shell to write to a file
+            provided by your shell to write to a file.
           </para>
           <indexterm zone="iptables iptables-save">
@@ -986 +939 @@
             <command>iptables-save</command> to an XML format. Using the
             <filename>iptables.xslt</filename> stylesheet converts the XML
-            back to the format of <command>iptables-restore</command>
+            back to the format of <command>iptables-restore</command>.
           </para>
           <indexterm zone="iptables iptables-xml">
@@ -999 +952 @@
           <para>
             are a set of commands for IPV6 that parallel the iptables
-            commands above
+            commands above.
           </para>
           <indexterm zone="iptables ip6tables">
@@ -1013 +966 @@
             (optional) configuration tool. SYNPROXY target makes handling of
             large SYN floods possible without the large performance penalties
-            imposed by the connection tracking in such cases
+            imposed by the connection tracking in such cases.
           </para>
           <indexterm zone="iptables nfsynproxy">
@@ -1025 +978 @@
         <listitem>
           <para>
-            is a binary that behaves according to the name it is called by
+            is a binary that behaves according to the name it is called by.
           </para>
           <indexterm zone="iptables xtables-multi">